TrickGate is a transformative, shellcode-based packer-as-a-service used to conceal malware from security tools since 2016 and has wrapped a wide range of threats including Cerber, Trickbot, Maze, and Emotet. The packer’s core building blocks—shellcode loader, shellcode, and payload—are repeatedly updated to stay under the radar, with Check Point noting that TrickGate can be detected and blocked at the wrapper level.
#TrickGate #Cerber #Trickbot #Maze #Emotet #CobaltStrike
Keypoints
- TrickGate first appeared in 2016 as a packer that hides malware from EDRs and AVs and is offered as a service.
- Over six years it has been used to wrap top malware families, including Cerber, Trickbot, Maze, Emotet, REvil, AZORult, Formbook, and AgentTesla.
- The packer is highly transformative, changing its wrapper periodically to stay invisible to security products, which led researchers to identify it under multiple names.
- The attackers’ toolkit relies on a three-part structure: shellcode loader, shellcode, and payload, with the loader decrypting and executing the shellcode.
- Initial access is primarily via phishing emails with malicious attachments or links; first-stage files are often archived executables or various document formats.
- Core techniques include API hashing to hide imported Windows APIs, process injection through direct ntdll syscalls (NtCreateSection, NtMapViewOfSection, NtUnmapViewOfSection, NtWriteVirtualMemory, NtResumeThread), and Hell's Gate-style retrieval of syscall numbers at runtime, which sidesteps user-mode API hooks placed by EDRs.
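API hashing, as used by the loader described above, replaces import names with numeric hashes and resolves them at runtime by hashing each export name of a loaded module until one matches. The following is an added example, not code from the Check Point write-up or from TrickGate itself: it uses the classic ROR-13 hash seen in many shellcode loaders (TrickGate's actual hash routine and constants are not given on this page and are an assumption here), shows the loader-side lookup, and shows the analyst-side reverse lookup that recovers API names from hashes pulled out of a sample. The export list is a constructed stand-in for what a real loader walks via the PEB and the module's export directory.

```python
from typing import Dict, Iterable, List, Optional


def ror13_hash(name: str) -> int:
    """Case-sensitive ROR-13 hash over the ASCII bytes of an export name.

    Assumed algorithm for illustration; the page does not state TrickGate's.
    """
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF   # rotate right by 13 bits
        h = (h + b) & 0xFFFFFFFF
    return h


# Constructed stand-in for ntdll's export name table (only the APIs the
# page names plus a couple of decoys). On a live system a loader obtains
# this list from the export directory of the module found through the PEB.
NTDLL_EXPORTS: List[str] = [
    "NtClose",
    "NtCreateSection",
    "NtMapViewOfSection",
    "NtOpenProcess",
    "NtResumeThread",
    "NtUnmapViewOfSection",
    "NtWriteVirtualMemory",
]


def loader_resolve(wanted_hash: int, exports: Iterable[str]) -> Optional[str]:
    """Loader side: scan the export table, hashing each name until it matches.

    This is the runtime lookup that lets the binary carry only 4-byte
    constants instead of readable API strings.
    """
    for name in exports:
        if ror13_hash(name) == wanted_hash:
            return name
    return None


def build_rainbow(exports: Iterable[str]) -> Dict[int, str]:
    """Analyst side: precompute hash -> name for a module's exports."""
    return {ror13_hash(n): n for n in exports}


def recover_api_names(hashes: Iterable[int], exports: Iterable[str]) -> Dict[int, Optional[str]]:
    """Map hashes extracted from a sample back to API names (None if unknown)."""
    table = build_rainbow(exports)
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    # What the packer author embeds at build time instead of import names.
    embedded = [ror13_hash(n) for n in ("NtCreateSection", "NtMapViewOfSection", "NtResumeThread")]
    # What an analyst does after pulling those constants out of the shellcode.
    for h, name in recover_api_names(embedded, NTDLL_EXPORTS).items():
        print(f"{h:#010x} -> {name}")
```

When the hash of a sample's constants does not match any export under ROR-13, the loader is using a different routine (a different rotate count, XOR seed, or case folding); the reverse lookup then has to be rebuilt with the hash function lifted from the loader's own code.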
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – Initial access via “phishing emails with malicious attachments” and other methods. [“The initial access made by the packer’s users can vary significantly. We monitor the packed samples spreading mainly via phishing emails with malicious attachments, but also via malicious links.”]
- [T1566.002] Phishing: Spearphishing Link – Initial access via “malicious links.” [“…or via malicious links.”]
- [T1027] Obfuscated Files or Information – The TrickGate wrapper is periodically transformed and hides the strings it needs; API hashing replaces imported Windows API names with hash values. [“The packer… makes it harder for antivirus programs to detect the malicious code.” and “TrickGate uses a common technique called API hashing, in which all the needed Windows APIs are hidden with a hash number.”]
- [T1059] Command and Scripting Interpreter – Shellcode loader uses NSIS script, AutoIT script and C. [“We noticed 3 different types of code language used for the shellcode loader. NSIS script, AutoIT script and C all implement similar functionality.”]
- [T1140] Deobfuscate/Decode Files or Information – The shellcode loader decrypts the shellcode; the shellcode in turn decrypts the final payload before injecting it. [“The shellcode is the core of the packer. It’s responsible for decrypting the payload and stealthily injecting it into a new process.”]
- [T1055] Process Injection – The decrypted payload is injected into a newly created process. [“The shellcode is the core of the packer. It’s responsible for decrypting the payload and stealthily injecting it into a new process.”]
- [T1106] Native API – Injection is performed through direct calls to ntdll functions (NtCreateSection, NtMapViewOfSection, NtUnmapViewOfSection, NtWriteVirtualMemory, NtResumeThread) rather than the higher-level Win32 wrappers; a Hell’s Gate-like technique reads each syscall number from the ntdll stub at runtime instead of hardcoding it, so the loader works across Windows builds and bypasses user-mode hooks an EDR has placed on those functions. [“injection… is done by a set of direct calls to the kernel. For every one of these ntdll API calls: NtCreateSection… NtResumeThread.” and “Hell’s Gate… retrieve and execute direct syscall numbers.”]
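The Hell's Gate step referenced above, in the Native API entry and in the keypoints, amounts to reading a few bytes of each Nt* export: on x64 an unhooked ntdll stub starts with `4C 8B D1` (mov r10, rcx) followed by `B8 <ssn32>` (mov eax, SSN), while an EDR's inline hook replaces that prologue with a `E9 <rel32>` jump. The following is an added example, not code from the original page or from TrickGate, that parses such stubs offline: it recovers the syscall number the way a Hell's Gate loader does and flags the hooked stubs a defender would want to find. All stub bytes and syscall numbers are constructed for the example and are not real Windows values.

```python
import struct
from typing import Dict, Optional

# mov r10, rcx ; mov eax, imm32  -- the prologue Hell's Gate pattern-matches.
CLEAN_PROLOGUE = bytes.fromhex("4C8BD1B8")
# Tail that follows the SSN in a modern x64 stub (test byte, jne, syscall, ret).
STUB_TAIL = bytes.fromhex("F604250803FE7F010F05C3")


def make_clean_stub(ssn: int) -> bytes:
    """Build a constructed, unhooked x64 Nt* stub carrying the given SSN."""
    return CLEAN_PROLOGUE + struct.pack("<I", ssn) + STUB_TAIL


def make_hooked_stub(rel32: int) -> bytes:
    """Build a constructed stub whose prologue has been overwritten by a jmp."""
    return b"\xE9" + struct.pack("<i", rel32) + b"\xCC" * 3 + STUB_TAIL


def extract_ssn(stub: bytes) -> Optional[int]:
    """Hell's Gate read: return the SSN if the prologue is intact, else None.

    SSNs fit in 16 bits, so the high two bytes of the imm32 must be zero;
    anything else means the prologue has been patched.
    """
    if len(stub) < 8 or stub[:4] != CLEAN_PROLOGUE:
        return None
    ssn = struct.unpack_from("<I", stub, 4)[0]
    return ssn if ssn <= 0xFFFF else None


def is_hooked(stub: bytes) -> bool:
    """Defender-side check: an E9 jmp at offset 0 is the usual inline hook."""
    return stub[:1] == b"\xE9"


# Constructed export table: name -> first bytes of the stub, as a loader
# would read them from ntdll's export directory on a live system.
NTDLL_STUBS: Dict[str, bytes] = {
    "NtCreateSection":      make_clean_stub(0x004A),
    "NtMapViewOfSection":   make_hooked_stub(0x00001234),   # hooked by an EDR
    "NtUnmapViewOfSection": make_clean_stub(0x002A),
    "NtWriteVirtualMemory": make_clean_stub(0x003A),
    "NtResumeThread":       make_clean_stub(0x0052),
}


def build_ssn_table(stubs: Dict[str, bytes]) -> Dict[str, Optional[int]]:
    """Loader view: which syscalls can be invoked directly from the stub bytes."""
    return {name: extract_ssn(stub) for name, stub in stubs.items()}


def hooked_exports(stubs: Dict[str, bytes]) -> list:
    """Defender view: which exports carry an inline hook."""
    return sorted(name for name, stub in stubs.items() if is_hooked(stub))


if __name__ == "__main__":
    for name, ssn in build_ssn_table(NTDLL_STUBS).items():
        print(f"{name:22} SSN={'hooked' if ssn is None else hex(ssn)}")
    print("hooked:", hooked_exports(NTDLL_STUBS))
```

A plain Hell's Gate loader fails on the hooked entry (it gets no SSN), which is why later variants of the technique read the SSN from a neighbouring unhooked stub instead; for detection, the same byte comparison run from a clean copy of ntdll on disk against the in-memory image reveals both the hook and a loader that has restored the prologue to evade it.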
Indicators of Compromise
- [Hash] SHA-1 – 3f5758da2f4469810958714faed747b2309142ae, 755ee43ae80421c80abfab5481d44615784e76da, and 2 more hashes (observed in figure captions for RAR/LNK/EXE flows)
- [Domain] jardinaix.fr – Example used in a URL; contains the malicious payload path. [URL: jardinaix[.]fr/w.exe]
- [IP] 192.227.196.211 – Example IP used in a flow; associated with XLD.exe delivery. [URL: 192.227.196[.]211/t.wirr/XLD.exe]
- [File name] w.exe, XLD.exe – Executables referenced in observed flows